10 tips for tax pros to avoid phishing scams

10 tips for tax pros to avoid phishing scams

By Jeff Stimpson

Published September 17 2017, 5∶09pm EDT

The inbox seems to have become tax preparers’ worst enemy in this age of phishing e-mails designed to trick preparers into volunteering critical information. Crooks convert stolen data into phony refunds faster than ever, and it’s easy to think that time-tested protections aren’t enough anymore.

The IRS shared its top 10 tips and practical examples for tax pros to protect themselves – and their clients – from taking the bait. (A slideshow version of this article is available.)

Spear itself. Nine out of 10 cyber-attacks and data leaks begin with spear phishing e-mail, often tailored to individual practitioners. Spear-phishing crooks pose as familiar entities, and have usually done extensive research to target a specific audience – tax pros are favorites – to gain passwords or install malware.

Red flags: The supposedly familiar source of the e-mail; conversational but ungrammatical and oddly constructed language; calls to action urging opening of a link (often a “tiny” URL to mask the true destination).

Hostile takeovers. In these mushrooming schemes, a thief manages to steal or guess the username and password of a tax pro, resulting in the imaginable and horrific havoc with EFINs, prep software accounts and more. Again, these hardworking thieves do their homework to pose as a familiar organization, potential client, another tax pro, a bank or a cloud-based storage provider. Links or attachments may also load malware on computers to capture keystrokes.

Red flags: Urgent and threatening calls to action; pages that looks like the login pages for IRS e-Services or a prep-software providers.

Day at the breach. In the first five months of this year, about 107,000 taxpayers reported being victims of ID theft — a total actually down from previous years — but the IRS also saw an jump in ID theft involving business-related tax returns, including 1120s and 1120Ss, 1041s and Schedule K-1 filings. The IRS will soon ask tax pros to gather more information on their business clients to help authenticate returns, including Social Security numbers, payment history and parent company information.

Red flag: Potential business clients claiming they don’t currently have an EIN.

Ransom devil. Ransomware attacks are on the rise worldwide, locking computer systems and holding sensitive data hostage until users pay crooks to release the data (though often scammers won’t provide the decryption key even after a ransom is paid). Users generally are unaware that malware has infected their systems until they receive the ransom request.

Red flag: Phishing e-mails.

Remote control. A tax pro’s entire digital network could be at risk for remote takeover by cybercriminals who exploit security weaknesses to access the devices to access client returns, complete and e-file those returns, and then secretly direct refunds to their own accounts. Especially vulnerable are wireless networks, including mobile phones, modems and router devices, printers (clients’ returns might still in the device’s memory), fax machines and televisions that retain their factory issued password settings.

Red flags: Phishing e-mails with attachments.

BEC to the wall. A burgeoning W-2 scam — a.k.a., a business email compromise, or “BEC”– is one of the most dangerous phishing e-mail schemes trending nationwide. A cybercriminal impersonates a company or organization exec’s e-mail address to target a payroll, financial or HR employee with a request for a transfer or funds or a request a list of all employees and their W-2s. This allows crooks to file fraudulent returns that mirror the employees’ actual income, making the fraud harder to detect.

EFIN headache. Criminal syndicates routinely attempt to steal tax pros’ usernames and passwords to access e-Services to obtain the EFIN. Savvy cybercriminals even swipe CAF numbers and may know how to file fraudulent power-of-attorney documents. (Password thefts are one reason the IRS moved to a two-factor authentication process for online tools.)